Skip to content

[Code scan] Pin the Gitee mirror reusable workflow before passing secrets #566

Description

@njzjz

This issue was found during a Codex global code scan of the repository.

Baseline commit: e3c5b38

Problem

The mirror workflow passes SYNC_GITEE_PRIVATE_KEY to a reusable workflow referenced by the mutable main branch.

Code references:

git-mirror:
uses: deepmodeling/workflows/.github/workflows/mirror_gitee.yml@main
secrets:
SYNC_GITEE_PRIVATE_KEY: ${{ secrets.SYNC_GITEE_PRIVATE_KEY }}

Relevant snippet:

uses: deepmodeling/workflows/.github/workflows/mirror_gitee.yml@main
secrets:
  SYNC_GITEE_PRIVATE_KEY: ${{ secrets.SYNC_GITEE_PRIVATE_KEY }}

Impact

Any future change to deepmodeling/workflows@main changes the code that receives this private key. That makes the secret-bearing workflow dependent on a mutable external ref.

Suggested fix

Pin the reusable workflow to an immutable commit SHA or a protected release tag, and keep the Gitee private key scoped to the minimum required permissions.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions